chore(hardening): tighten security and footprint defaults

This commit is contained in:
2026-04-24 19:03:57 +01:00
parent 55b34d8ffc
commit b333c6229e
36 changed files with 8702 additions and 254 deletions

View File

@@ -111,6 +111,8 @@ jobs:
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
# Cache the Cargo target dir + registry per OS so the heavy
# whisper-rs-sys C++ build only happens on a clean cache.
@@ -128,12 +130,24 @@ jobs:
- name: cargo check (workspace)
run: cargo check --workspace --all-targets
- name: cargo fmt
run: cargo fmt --all -- --check
- name: cargo clippy
run: cargo clippy --workspace --all-targets -- -D warnings
# Library tests only — no runtime/GPU deps. Linux-gated to keep
# the macOS + Windows legs focused on compile coverage.
- name: cargo test (workspace, libs)
if: matrix.os == 'ubuntu-22.04'
run: cargo test --workspace --lib
- name: cargo audit
if: matrix.os == 'ubuntu-22.04'
run: |
cargo install cargo-audit --locked
cargo audit
frontend:
name: svelte build + lint
runs-on: ubuntu-22.04
@@ -150,6 +164,9 @@ jobs:
- name: Install JS deps
run: npm ci
- name: npm audit
run: npm audit --audit-level=high
# `tauri build` inside check.yml would trigger the full Rust build
# which is owned by the rust job. Here we only validate that the
# Svelte/Vite frontend compiles cleanly.